Need help on NAT.

klncy2014 — Tue, 12 Mar 2019 01:56:10 GMT

Hello folks,

I still messing about with my GSN3 lab here. My topolgy is like this : (cloud)-----(router)-----(ASA FW)----(SW)------LAN.

I can ping out from the router and from the ASA firewall, but I cant figure it out how to make my LAN to ping outside. I searched too.

I greatly appreciated!!!

Here are my basic config on the FW and Router:

hostname ciscoasa

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

interface GigabitEthernet0

nameif outside

security-level 0

ip address 10.10.10.1 255.255.255.0

interface GigabitEthernet1

nameif inside

security-level 100

ip address 172.168.1.1 255.255.255.0

interface GigabitEthernet2

shutdown

no nameif

no security-level

no ip address

interface GigabitEthernet3

shutdown

no nameif

no security-level

no ip address

interface GigabitEthernet4

shutdown

no nameif

no security-level

no ip address

interface GigabitEthernet5

shutdown

no nameif

no security-level

no ip address

ftp mode passive

object network inside_mapped

subnet 172.168.1.0 255.255.255.0

object network internal_lan

subnet 172.168.1.0 255.255.255.0

pager lines 24

mtu outside 1500

mtu inside 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

route outside 0.0.0.0 0.0.0.0 10.10.10.2 1

route outside 0.0.0.0 0.0.0.0 192.168.137.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

telnet timeout 5

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

class-map inspection_default

match default-inspection-traffic

policy-map global_policy

class inspection_default

inspect icmp

inspect icmp error

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-1

no active

destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

destination address email callhome@cisco.com

destination transport-method http

subscribe-to-alert-group diagnostic

subscribe-to-alert-group environment

subscribe-to-alert-group inventory periodic monthly

subscribe-to-alert-group configuration periodic monthly

subscribe-to-alert-group telemetry periodic daily

crashinfo save disable

Cryptochecksum:d751984bd942d8b192f58d6b2e8afe8a

Router1:

Current configuration : 1108 bytes

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

hostname R1

boot-start-marker

boot-end-marker

no aaa new-model

memory-size iomem 5

ip cef

no ip domain lookup

ip domain name lab.local

multilink bundle-name authenticated

interface FastEthernet0/0

description To Internet

ip address dhcp

ip nat outside

ip virtual-reassembly

duplex auto

speed auto

interface FastEthernet0/1

description inside edge router

ip address 10.10.10.2 255.255.255.0

ip nat inside

ip virtual-reassembly

duplex auto

speed auto

ip route 0.0.0.0 0.0.0.0 192.168.137.1

no ip http server

no ip http secure-server

ip nat inside source list 1 interface FastEthernet0/0 overload

access-list 1 permit 172.168.0.0 0.0.255.255

access-list 1 permit 10.10.10.0 0.0.0.255

access-list 1 permit 172.168.1.0 0.0.0.255

control-plane

line con 0

exec-timeout 0 0

privilege level 15

logging synchronous

line aux 0

exec-timeout 0 0

privilege level 15

logging synchronous

line vty 0 4

Re: Need help on NAT.

Jouni Forss — Tue, 11 Jun 2013 13:48:22 GMT

Hi,

Your router doesnt have a route for your LAN network behind the ASA. Since the ASA is not doing Dynamic PAT or similiar at the moment the LAN will show with its original IP address to the Router so it needs a route pointing back towards the ASA to be able to return the ICMP Echo reply messages back to LAN users.

Try adding

ip route 172.168.1.0 255.255.255.0 10.10.10.1

On the router

Also the ASA seems to have some route that is not needed

no route outside 0.0.0.0 0.0.0.0 192.168.137.1 1

Hope this helps

Remember to mark the reply as the correct answer if it answered your question.

Ask more if needed

- Jouni

Need help on NAT.

klncy2014 — Tue, 11 Jun 2013 15:03:05 GMT

Hi JouniForss,

Thanks a million buddy.. You never failed

Thank you!

topic Need help on NAT. in Network Security

Need help on NAT.

Re: Need help on NAT.

Need help on NAT.